Some might think that a single state’s initiatives would not have a significant impact on the U.S. national privacy and data security framework. However, some studies show that California is poised to become the eighth largest economy in the world. One out of eight Americans live in California. These factors, and others, make California an important market for online services. And because California’s standards are some of the strictest in the U.S., many companies adopt California’s standards as part of their baseline standards for privacy and data security rather than adopting state-specific practices. In certain respects, therefore, California laws have set national standards for privacy and data security.
This year, California’s legislature has continued to focus on privacy and data security issues. According to the California AG’s website, at least 14 pieces of privacy legislation have been introduced this year. In the past month alone, three of those bills were signed into law by Governor Jerry Brown.
On September 23, Governor Brown signed into law the "Privacy Rights for California Minors in the Digital World” bill. The law, which goes into effect in January 2015, provides new online protections for minors. Operators that direct online services to minors or have knowledge that minors are using the services will be required to permit minors to access and delete information that the minors posted. Websites and online services will have to provide minors with notice of their rights and how they may exercise them. Operators will not be required to delete information posted by third parties or information that federal or other state laws require operators to maintain. While operators may end up deciding to offer access and deletion rights only to California minors, some companies – whether it be for efficient records management or to avoid upsetting users from other states – may provide all minors with the rights established under California law, establishing a de facto national standard.
On September 27, the governor signed into law legislation amending California’s breach notification requirements. Under the new law, which goes into effect on January 1, 2014, when online credentials allowing access to online or email accounts are compromised – as was the case in several recent and well-publicized breaches, including those suffered by Yahoo and LinkedIn – organizations will have to provide notice to affected individuals even if the actual names of users are not compromised. In recent months, we have seen a number of security incidents involving online credentials that were stored in clear text. California’s Attorney General stated in a recent report that she would make it a priority to investigate breaches involving unencrypted personal information. The new breach notification law along with the Attorney General’s investigatory approach will likely encourage organizations to encrypt online credentials and otherwise strengthen protections for personal information. Given the frequency with which online credentials are compromised and the publicity that often attaches to such breaches, we believe it likely that other states will again follow California’s lead in establishing new breach notification requirements.
Also on September 27, Governor Brown signed into law an amendment to California’s Online Privacy Protection Act. Operators of websites and online services will now be required to disclose whether other parties (e.g., third-party ad networks and analytics providers) may collect personally identifiable information relating to consumers’ online activities over time and across different websites when consumers use the operators’ sites and services. Operators will also be required to disclose how they respond to do-not-track signals and other mechanisms that enable consumers to indicate their preferences regarding the collection over time and across different websites of their online activities. The law will effectively set new disclosure standards for consumer-facing privacy policies.
Organizations should take note of some ambiguities in the legislation: 1) It is not clear whether subsidiaries and affiliates constitute “other parties.” If they are, operators will have to disclose whether affiliates and subsidiaries track consumers’ activities. 2) The law does not provide a definition of “do-not-track.” One of the major sticking points in the proceedings of the World Wide Web Consortium’s Do-Not-Track Working Group has been the establishment of a definition of “tracking.” For now, therefore, a conservative approach to compliance would involve adopting broad definitions of “do-not-track” and “consumer preference mechanisms” in order to ensure that consumer-facing privacy policies comply with California law. Fortunately, the law does give organizations 30 days in which to address alleged deficiencies communicated by the Attorney General. However, organizations may wish to take the opportunity to review their consumer-facing privacy policies now.
Organizations should note that the California legislature has been considering several other privacy and data security bills this year that could also influence the national privacy landscape. Those bills include legislation addressing disclosure requirements for mobile app privacy policies; a bill that would extend restrictions on credit-card purchases to debit-card purchases; and legislation regulating the data practices of mobile applications that allow individuals to manage their health information or care.